Spork v0.2.0-alpha — first public release.

2026-01-09 · release · spork

The public alpha of Spork is out: a pure-Rust, post-quantum certificate authority. After months of development we think it's ready for evaluation by people who actually run PKI for a living.

What it is

Spork is a CA built from the ground up in Rust with post-quantum cryptography as a first-class feature. Unlike traditional CAs that bolt PQ on as an afterthought, Spork was designed to sign with ML-DSA and SLH-DSA natively from day one. Classical algorithms (ECDSA, RSA, Ed25519) stayed in so existing deployments can adopt incrementally.

What's in v0.2.0-alpha

CA hierarchy    root + issuing tiers with chain validation
ML-DSA-65/87    FIPS 204 signatures throughout the chain
SLH-DSA         FIPS 205 hash-based signatures
ECDSA           P-256 + P-384 for classical interop
RSA             2048 + 4096 for legacy verifiers
ACME            certbot-compatible automatic enrollment
EST             RFC 7030 enrollment over secure transport
SCEP            legacy device enrollment
OCSP            online certificate status responder
CRLs            full + delta CRL generation
spork-shell     `repl` for CA management

Why Rust

CAs are security-critical infrastructure; memory-safety bugs in CA software have historically led to serious vulnerabilities. Building Spork in pure Rust with no OpenSSL dependency removes whole classes of bugs. The few C dependencies (SQLite, TLS) are vendored and isolated. Cryptographic primitives come from RustCrypto — well-audited pure-Rust implementations of the lattice and hash-based schemes.

How to try it

Downloads aren't public yet. The Spork page gets the link first; meanwhile if you have a concrete use case and want an early build, email hello@quantumnexum.com with a short description — happy to share builds with people who'll actually exercise them.

Licensing

BSL 1.1 (Business Source License). Evaluation and testing are free with no time limit. Production deployments require a commercial license; contact licensing@quantumnexum.com for terms.

Known limitations

• Web UI is partial — the CLI is the primary interface today.
• HSM integration is partial — SoftHSM works; hardware HSMs need testing.
• Linux x86_64 only. macOS and Windows builds depend on demand.
• Not yet security-audited. Third-party audit planned for v1.0.

Feedback

• Bugs / features: support@quantumnexum.com
• Security issues: security@quantumnexum.com
• Anything else: hello@quantumnexum.com

Per Fidem Continuamus.